1 2 Previous Next 15 Replies Latest reply on Feb 20, 2018 8:19 PM by Amy Barton

    yum --security update vs. yum --security update-minimal

    Amy Barton

      Hello All,

       

      I'd like to get your insights on the definitions on these two commands:

      yum --security update vs. yum --security update-minimal.

       

      Oracle definition located at https://docs.oracle.com/cd/E52668_01/E54669/html/ol7-security-yum.html

      To update all packages for which security-related errata are available to the latest versions of the packages, even if those packages include bug fixes or new features but not security errata, enter:

      # yum --security update

       

      To update all packages to the latest versions that contain security errata, ignoring any newer packages that do not contain security errata, enter:

      # yum --security update-minimal

       

      yum-security (8) manual located at https://www.systutorials.com/docs/linux/man/8-yum-security/

      To upgrade packages that have security errata (upgrades to the latest available package) use:

      yum --security update

      To upgrade packages that have security errata (upgrades to the last security errata package) use:

      yum --security update-minimal
      Can you see the confusion these two definitions from two sources may cause?
      How would you interpret them?
      Thank you,
      Amy
        • 1. Re: yum --security update vs. yum --security update-minimal
          Avi Miller-Oracle

          Perhaps an example with versions is needed:

           

          Assume package-1.0.0 is installed on your system. You don't upgrade for a while and the vendor releases package-1.0.1 which fixes a CVE (security release). You still don't upgrade and the vendor releases package-1.1.0 which includes the 1.0.1 CVE fix but also some bug fixes and perhaps even new functionality (bugfix or errata release).

           

          In this scenario:

           

          yum --security update will upgrade to package-1.1.0 (latest version including bugfix and/or enhancement releases)

          yum --security update-minimal will upgrade to package-1.0.1 (latest version that only includes security fixes).

           

          Does that make the difference more obvious?

           

          Edited to add that I don't really see the confusion between the definitions from the two locations. Perhaps if you could explain where your confusion is coming from I can look into getting the Oracle documentation updated to resolve that for you (and others).

          • 2. Re: yum --security update vs. yum --security update-minimal
            Amy Barton

            Hello Avi!

            In the scenario,

            1) 1.1.0 which includes the 1.0.1 CVE fix but also some bug fixes and perhaps even new functionality (bugfix or errata release).

            2) I haven't applied 1.0.1 CVE fix to my system

            yum --security update will update the package to the latest one 1.1.0 which includes bug fixes, security fixes and feature enhancements. This makes perfect sense, and I think this is what should happen. 

            Oracle states:

            yum --security update: update all packages for which security-related errata are available to the latest versions of the packages, even if those packages include bug fixes or new features but not security errata.

             

            What throws me off is these words "but not security errata". The statement doesn't say the latest includes the previous release of security updates as well as bug fixes and enhancements, instead it says "but not security errata",  which makes me wonder if yum --security update only updates the package to the latest one that only includes bug fixes and enhancements, if so, there is no need to perform yum --security update if one just wants to install security patches.   

             

            Simply put, if you only want to install security updates, just run yum --security update-minimal. This will install the latest security updates only. Is this correct?

             

            Thanks for the example. Reading through your response and writing my response helped me understand the yum-security plug-in better. I may not need to use it; instead, I will use Spacewalk.

             

            Amy

             

            • 3. Re: yum --security update vs. yum --security update-minimal
              Avi Miller-Oracle

              Actually, I think there is still a slight misunderstanding here. Let's go back to my original scenario, but add a few more steps:

               

              Assume package-1.0.0 is installed on your system. You don't upgrade for a while and the vendor releases package-1.0.1 which fixes a CVE (security release). You still don't upgrade and the vendor releases package-1.1.0 which includes the 1.0.1 CVE fix but also some bug fixes and perhaps even new functionality (bugfix or errata release).

               

              Now, assume there are some more updates: package-1.1.1, package-1.1.2, package-1.2.0. Let's further assume the following breakdown of what's included in each version:

               

              • 1.0.0 -> 1.0.1 (which is a security-only fix)
              • 1.0.1 -> 1.1.0 (new feature; backwards compatible)
              • 1.1.0 -> 1.1.1 (bug fix)
              • 1.1.1 -> 1.1.2 (bug fix)
              • 1.1.2 -> 1.2.0 (new feature)

               

              Because patches are cumulative, 1.2.0 includes the security fix that was delivered as 1.0.1 as well as all the bug fixes and the new features.

               

              If you have package-1.0.0 installed and you run "yum --security update" you would get package-1.2.0, even though the 1.2.0 release contains no security update. It's the latest version of a package that is affected by a security vulnerability.

               

              If you have package-1.0.0 installed and you run "yum --security update-minimal", you would get package-1.0.1 because that's the minimal version required to resolve the security vulnerability.

               

              Note that using Spacewalk is complementary to yum-security: Spacewalk generates the same errata metadata used by the yum-security plugin, so you can use both.

              • 4. Re: yum --security update vs. yum --security update-minimal
                Amy Barton

                Thank you Avi - very much appreciated!

                • 5. Re: yum --security update vs. yum --security update-minimal
                  Avi Miller-Oracle

                  You're welcome. Please remember to flag an answer and perhaps some posts as helpful so as to help others in future.

                  • 6. Re: yum --security update vs. yum --security update-minimal
                    Amy Barton

                    Hello Avi,

                     

                    One more question, using ELSA-2018-0151 as an example. Although this advisory contains security and bug fixes, yum --security update-minimal still picks up this advisory, not a previous/another one that contains a security fix only. Can I interpret this behavior like this: ELSA-2018-0151 is the minimal version that fixes a particular CVE. After all, bug fixes might just fix some security vulnerabilities.

                     

                    Amy

                    • 7. Re: yum --security update vs. yum --security update-minimal
                      Avi Miller-Oracle

                      Amy Barton wrote:

                       

                      Can I interpret this behavior like this: ELSA-2018-0151 is the minimal version that fixes a particular CVE. After all, bug fixes might just fix some security vulnerabilities.

                      Sure. Or to put it another way: that's the minimal version to fix a particular CVE, and you get some bug fixes thrown in at no extra cost. In this case though, the bug fix was completely unrelated to the security fix.

                      • 8. Re: yum --security update vs. yum --security update-minimal
                        Amy Barton

                        All right, Avi. I am not going to continue to ask "If ELSA-2018-0151 contains non-security fixes, why yum --security update-minimal picks out this advisory which contradicts the Oracle doc definition".

                         

                        In addition to this ELSA, I also noticed that when I run "update-minimal" on my test server connected to ULN latest channel, it installed a new kernel package uek.x86_64 3.10.0-693.17.1 - which I don't need. It also asked me to upgrade gnome-packagekit-common-3.14.3.7.el7.x86_64 to the latest version in order to pass the prerequisite check. I didn't want to upgrade my gnome software, just wanted to apply security fixes. The result of upgrading the gnome software to the newest version gives me a "weird" Gnome Classic view which I don't want happen at this time.


                        I understand the "issues" may be more complex than we can discuss here. But I thought I would share my observations. Strictly speaking, "update-minimal" doesn't work the way it is said or designed to. Just want the community to be aware. Is it fair to say?

                         

                        Amy

                        • 9. Re: yum --security update vs. yum --security update-minimal
                          Amy Barton

                          Clarification - Disregard the previous one.

                           

                          All right, Avi. I am not going to continue to ask "If ELSA-2018-0151 contains bug fixes that are not security related, why yum --security update-minimal picks out this advisory which contradicts the Oracle doc definition".

                           

                          In addition to this ELSA, I also noticed that when I run "update-minimal" on my test server connected to ULN latest channel, it installed a new kernel package uek.x86_64 3.10.0-693.17.1 - which I don't need. It also asked me to upgrade gnome-packagekit-common-3.14.3.7.el7.x86_64 to the latest version in order to pass the prerequisite check. I didn't want to upgrade my gnome software, just wanted to apply security fixes. The result of upgrading the gnome software to the newest version gives me a "weird" Gnome Classic view which I don't want happen at this time.

                           

                          I understand the "issues" may be more complex than we can discuss here. But I thought I would share my observations. Strictly speaking, "update-minimal" doesn't work the way it is said or designed to. Just want the community to be aware. Is it fair to say?

                           

                          Amy

                          • 10. Re: yum --security update vs. yum --security update-minimal
                            Avi Miller-Oracle

                            Amy Barton wrote:

                             

                            All right, Avi. I am not going to continue to ask "If ELSA-2018-0151 contains bug fixes that are not security related, why yum --security update-minimal picks out this advisory which contradicts the Oracle doc definition".

                             

                            In addition to this ELSA, I also noticed that when I run "update-minimal" on my test server connected to ULN latest channel, it installed a new kernel package uek.x86_64 3.10.0-693.17.1 - which I don't need. It also asked me to upgrade gnome-packagekit-common-3.14.3.7.el7.x86_64 to the latest version in order to pass the prerequisite check. I didn't want to upgrade my gnome software, just wanted to apply security fixes. The result of upgrading the gnome software to the newest version gives me a "weird" Gnome Classic view which I don't want happen at this time.

                            There's a lot to unpack here and some of it is contradictory: ELSA-2018-0151 is a security advisory and addresses five CVEs. If you run yum --security update-minimal, you will absolutely get updated to kernel-3.10.0-693.17.1 because that's what was released via ELSA-2018-0151. The fact that it also contains a single bugfix for the IBM s390 platform is not something we (as Oracle) can control, because this was an update from our upstream vendor.

                             

                            Then, depending on when you installed this server and when you ran yum --security update-minimal, you would've received one of several ELSAs for the Unbreakable Enterprise Kernel R4, including ELSA-2018-4021, ELSA-2018-4021 or ELSA-2018-4025. Because of the Meltdown and Spectre vulnerabilities, we have been continually updating new builds of the UEK to address further Spectre mitigations in particular. The latest ELSA-2015-4025 would install kernel-uek-4.1.12-112.14.14.

                             

                            I'm not entirely sure where exactly the gnome-packagekit-common is being pulled in from, but it would be a dependency from another package which has to be updated for security purposes. Something to keep in mind is that update-minimal can't control the dependencies of the packages it has to update for security purposes. For example, if update-minimal pulls in package-1.2.0 because it has a security fix and package-1.2.0 depends on library-2.0.0 (and you only have library-1.5 installed) then it has to be updated, even though the update to library-2.0.0 is not strictly speaking a security update. The dependencies, including minimum package version, have to be maintained across all packages to ensure the RPM database is consistent.

                             

                            Some handy references to make your life a bit easier:

                             

                             

                            In particular I suggest subscribing to either the mailing list (old school!) or Twitter feed so you're notified every time we release an errata, whether it's security, bugfix or enhancement. You can also use our databases to look up the errata by CVE or CVE by errata to correlate updates to actual CVEs.
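Avi's version walk in reply 3 (security fix at 1.0.1, then enhancement and bugfix releases up to 1.2.0) and the dependency point in reply 10 (a security update that drags in a newer library) can be put into one small model. This is an added illustration, not code from the thread or from the yum-security plugin: the package names, versions and "requires" constraints are invented, version comparison is plain tuple ordering rather than RPM's epoch:version-release comparison, and the depsolver is reduced to "lowest available release that satisfies the constraint".

```python
"""Toy model of the two yum-security update modes described in this thread.

Everything here is constructed: package names, versions and "requires"
constraints are invented and do not correspond to real ELSAs. Versions are
plain (major, minor, patch) tuples compared with tuple ordering, which is a
simplification of RPM's epoch:version-release comparison.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
# (version, errata type of the advisory that shipped it, minimum versions it requires)
Release = Tuple[Version, str, Dict[str, Version]]

# Hypothetical repository metadata. "package" follows the walk in reply 3:
# one security release, then enhancement/bugfix releases that carry no new
# security erratum. "webtool" is a second package whose security fix needs a
# newer "library", to show the dependency pull-in described in reply 10.
REPO: Dict[str, List[Release]] = {
    "package": [
        ((1, 0, 1), "security",    {}),
        ((1, 1, 0), "enhancement", {}),
        ((1, 1, 1), "bugfix",      {}),
        ((1, 1, 2), "bugfix",      {}),
        ((1, 2, 0), "enhancement", {}),
    ],
    "webtool": [
        ((2, 0, 0), "security",    {"library": (2, 0, 0)}),
    ],
    "library": [
        ((1, 6, 0), "bugfix",      {}),
        ((2, 0, 0), "enhancement", {}),
    ],
    "other": [
        ((3, 0, 1), "bugfix",      {}),
    ],
}

# Hypothetical system state: nothing has been updated for a while.
INSTALLED: Dict[str, Version] = {
    "package": (1, 0, 0),
    "webtool": (1, 9, 0),
    "library": (1, 5, 0),
    "other":   (3, 0, 0),
}


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


def candidates(name: str, installed: Dict[str, Version]) -> List[Release]:
    """Releases newer than what is installed, oldest first."""
    cur = installed[name]
    return sorted((r for r in REPO.get(name, []) if r[0] > cur), key=lambda r: r[0])


def security_update(installed: Dict[str, Version]) -> Dict[str, Version]:
    """`yum --security update`: every package with a pending security erratum
    goes to the newest available release, even when that last release is
    itself only a bugfix or enhancement. Packages with no pending security
    erratum are left alone."""
    picks: Dict[str, Version] = {}
    for name in installed:
        cands = candidates(name, installed)
        if any(kind == "security" for _, kind, _ in cands):
            picks[name] = cands[-1][0]
    return picks


def security_update_minimal(installed: Dict[str, Version]) -> Dict[str, Version]:
    """`yum --security update-minimal`: every package with a pending security
    erratum goes to the newest release that carries a security erratum, i.e.
    the lowest version that closes all outstanding CVEs; later bugfix and
    enhancement releases are ignored."""
    picks: Dict[str, Version] = {}
    for name in installed:
        sec = [v for v, kind, _ in candidates(name, installed) if kind == "security"]
        if sec:
            picks[name] = sec[-1]
    return picks


def resolve_dependencies(picks: Dict[str, Version], installed: Dict[str, Version]):
    """Close the selection over "requires" constraints, the point made in reply
    10: if a chosen release needs library >= 2.0.0 and 1.5.0 is installed, the
    library is upgraded too, although no security erratum is pending for it.
    This toy depsolver takes the lowest release satisfying each constraint;
    real yum depsolving is more involved. Returns (final_picks, pulled_in)."""
    final = dict(picks)
    pulled: Dict[str, Version] = {}
    changed = True
    while changed:
        changed = False
        for name, ver in list(final.items()):
            release = next(r for r in REPO[name] if r[0] == ver)
            for dep, minimum in release[2].items():
                have = final.get(dep, installed.get(dep, (0, 0, 0)))
                if have < minimum:
                    choice = min(v for v, _, _ in REPO[dep] if v >= minimum)
                    final[dep] = choice
                    pulled[dep] = choice
                    changed = True
    return final, pulled


if __name__ == "__main__":
    for label, picks in (("update", security_update(INSTALLED)),
                         ("update-minimal", security_update_minimal(INSTALLED))):
        final, pulled = resolve_dependencies(picks, INSTALLED)
        print(f"yum --security {label}:")
        for name in sorted(final):
            tag = " (dependency, not a security update)" if name in pulled else ""
            print(f"  {name}-{fmt(INSTALLED[name])} -> {name}-{fmt(final[name])}{tag}")
```

Run stand-alone, the model lands "package" on 1.2.0 under update and on 1.0.1 under update-minimal, leaves "other" untouched in both modes because it has no pending security erratum, and in both modes moves "library" to 2.0.0 purely because the webtool security release requires it.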

                            • 11. Re: yum --security update vs. yum --security update-minimal
                              Amy Barton

                              I appreciate your time and prompt response. Just want to add a couple of additional comments:

                              1) In your response, you said that an update is from an upstream vendor and Oracle doesn't have control over it. I thought each ELSA is Oracle's version of fixes; Oracle should have control over what to include or what not to include in each ELSA, as ELSA-2018-4025 includes the latest UEK kernel 4, but it might be very costly to tweak an update from the upstream. Whether there is a need for this or not is a different issue.

                              2) I pull down all my updates or new rpms from Oracle ULN. What puzzles me is yum automatically resolved all other dependencies but not  gnome-packagekit-common, which I had to manually install the latest one in order to pass the transition check.

                               

                              Simply put, use security update-minimal if you want your system to have the minimal changes but want to keep up to date with security fixes. Be aware security update-minimal installs new rpms or bug fixes that may be included in a security advisory. Is it safe to draw this conclusion?

                               

                              Again, thank you for your time - I have learned a lot!

                              Amy

                               

                              • 12. Re: yum --security update vs. yum --security update-minimal
                                Avi Miller-Oracle

                                Hey Amy, you're welcome.

                                 

                                1. Oracle Linux is a 100% compatible binary recompilation of Red Hat Enterprise Linux. Therefore, most of our packages are compiled unmodified from the Red Hat source code. In that case, we make no changes downstream so that we remain 100% compatible with Red Hat (bugs and all). However, the UEK is not based on Red Hat source code; it is based on the mainline Linux kernel source code and is developed internally at Oracle. Therefore, an ELSA for the UEK is totally within our control.

                                 

                                2. This is weird: if an updated gnome-packagekit-common is required, then it should be automatically pulled in for you. If it's not required, then the upgrade should work without it. But it's difficult to know exactly what happened without the entire output of the yum command, particularly the one that failed before you manually updated that package.

                                 

                                And your conclusion is correct.

                                • 13. Re: yum --security update vs. yum --security update-minimal
                                  Amy Barton

                                  Avi,

                                  This is what I did:

                                   

                                  # yum --security update-minimal

                                  Then it states:

                                  Transaction check error

                                  /usr/share/dbus-1/services/org.freedesktop.PackageKit.service from install of gnome-software-3.22.7-1.el7.x86_64 conflicts with file from package gnome-packagekit-common-3.14.3.7.el7.x86_64.

                                   

                                  After seeing this error, I manually upgraded the gnome software to the latest version

                                  Re-run # yum --security update-minimal and succeeded!

                                   

                                  Amy

                                  • 14. Re: yum --security update vs. yum --security update-minimal
                                    Avi Miller-Oracle

                                    Do you have an Oracle Linux support subscription? If so, it would be great if you could open an SR for this, because it seems like a bug to me. To be honest, I rarely install a GUI on Oracle Linux (command-line forever!) so I haven't seen this myself, but if there is a file conflict, we either need to fix the packages to resolve it or document it as a known issue.
